POAPs (Proof of Attendance Protocol tokens) have gained a lot of traction in the crypto scene over the last couple of years. These days, many events, and booths at events, let visitors mint a POAP in recognition of their presence. While that motivates people to move around and collect these NFTs, it also creates privacy problems.
Overall, we see three dimensions of potential issues:
Linking identity and location: a person's Ethereum wallet address, possibly tied to an ENS or UD (Unstoppable Domains) name or a Twitter handle, together with the POAPs it holds, reveals where that person was at a certain point in time.
Linking relationships: the timestamp of each POAP mint makes it possible to estimate how likely two people are to have a real-life relationship, for example when two addresses repeatedly mint the same POAPs within minutes of each other.
Learning and building profiles of identities through analytics over POAP collections and through dusting attacks against publicly known Ethereum wallet addresses.
This becomes visible as soon as you enter an Ethereum address on etherscan.io or run our Dune query: every POAP minted to that address is uncovered. From there, you can also query the mint timestamps and link the address to other wallets that minted the same POAP.
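To make the three dimensions concrete, here is an added example (not the project's code or its Dune query) that runs the same linkage over a small, constructed set of mint records: the addresses, event ids and timestamps are made up, and the 15-minute window used to call two mints "close" is an assumed heuristic. The last function models the mitigation the PoC aims at, the target minting every POAP from a fresh address, and shows that the co-mint graph then stops aggregating around one wallet.

```python
from collections import defaultdict

# Constructed sample data (not real on-chain records): (wallet, POAP event id,
# mint timestamp in seconds). Addresses and event ids are placeholders.
MINTS = [
    ("0xA1", 101, 1_700_000_000),  # event 101, e.g. a conference opening
    ("0xB2", 101, 1_700_000_120),  # two minutes after 0xA1
    ("0xC3", 101, 1_700_009_000),  # same event, 2.5 hours later
    ("0xA1", 102, 1_700_050_000),  # event 102, a booth POAP
    ("0xB2", 102, 1_700_050_300),
    ("0xD4", 102, 1_700_070_000),
    ("0xA1", 103, 1_700_100_000),  # event 103
    ("0xB2", 103, 1_700_100_200),
    ("0xC3", 104, 1_700_200_000),  # event 104, no overlap with 0xA1
]


def poap_profile(wallet, mints=MINTS):
    """Dimension 1: every (event, time) a wallet minted, i.e. where it was and when."""
    return sorted((event, ts) for addr, event, ts in mints if addr == wallet)


def co_minters(wallet, mints=MINTS):
    """Dimension 2, first step: for each POAP the wallet holds, who else minted it."""
    by_event = defaultdict(list)
    for addr, event, ts in mints:
        by_event[event].append(addr)
    return {
        event: sorted(addr for addr in by_event[event] if addr != wallet)
        for event, _ in poap_profile(wallet, mints)
    }


def relationship_scores(wallet, mints=MINTS, window=900):
    """Dimension 2, scoring: rank other wallets by how many POAPs they share
    with the target and how many of those were minted within `window`
    seconds of the target's mint (likely standing at the same booth)."""
    mine = dict(poap_profile(wallet, mints))
    shared = defaultdict(int)
    close = defaultdict(int)
    for addr, event, ts in mints:
        if addr == wallet or event not in mine:
            continue
        shared[addr] += 1
        if abs(ts - mine[event]) <= window:
            close[addr] += 1
    ranked = [(addr, shared[addr], close[addr]) for addr in shared]
    ranked.sort(key=lambda r: (r[2], r[1]), reverse=True)
    return ranked


def with_single_use_wallets(wallet, mints=MINTS):
    """Mitigation model: the target mints each POAP from a fresh address
    (here modelled as '<wallet>-<event>'). Nothing in the records then ties
    the per-event addresses to each other, so no address accumulates more
    than one shared POAP with anyone."""
    return [
        (f"{addr}-{event}" if addr == wallet else addr, event, ts)
        for addr, event, ts in mints
    ]


if __name__ == "__main__":
    print("profile of 0xA1:", poap_profile("0xA1"))
    print("co-minters:", co_minters("0xA1"))
    print("relationship ranking:", relationship_scores("0xA1"))
    split = with_single_use_wallets("0xA1")
    print("with single-use wallets:", relationship_scores("0xA1-101", split))
```

Against this data 0xB2 shares all three POAPs with 0xA1 and minted each within minutes, which is exactly the signal an analyst would read as "these two people walked the venue together"; after the split, every per-event address of 0xA1 shares at most one POAP with anyone, so the same query yields no aggregate. Note that the mitigation only hides the target: 0xB2 keeps using one address and remains profilable.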
During the different phases of our hackathon project we faced different obstacles. We went through ideation and testing and boiled the idea down to a working PoC.
In the first phase we struggled to determine the main pain point we could mitigate within a hackathon. After lengthy discussions, we settled on a seemingly simple setup: a privacy-preserving wallet derivation technique.
Then we tested our ideas and researched services that could solve our three sub-problems: wallet derivation (*1), token balance querying and POAP minting. Here we struggled to identify the leanest frameworks to build on. With the help of the crowd at EthBerlin, we ended up with the Dune API and the POAP API as building blocks.
This moved us into the PoC development phase. The main hurdle was acquiring the API keys and understanding the actual API implementation needed for our idea of automatic single-use wallet creation and POAP minting without user intervention.
Once we had the HTTP requests working to query the POAP balance of Ethereum wallets via the Dune API and to mint POAPs via the POAP API, we struggled with CORS errors that took time to resolve.
Open points are the secure handling of the API keys, to prevent them from being stolen and misused (as long as the browser calls the Dune and POAP APIs directly, which is where the CORS errors come from, the keys are visible to anyone inspecting the page, so they belong behind a small backend of our own), and a mechanism to recover a Private POAP wallet from its mnemonic seed. A secure way to persist the mnemonic seed is also not implemented yet.
(*1) Creating multiple wallets that cannot be linked to each other, all derived from one BIP39 mnemonic.
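The following is an added example of the derivation step that (*1) refers to; it is not the PoC's own code. It turns a BIP39 mnemonic into a seed and derives one hardened BIP32 private key per POAP event, which is also how the recovery open point above can be served: the same mnemonic reproduces every per-event key. The hardened-only path m/44'/60'/account'/0'/index' is an assumption chosen so that no elliptic-curve public-key math is needed (the usual Ethereum path m/44'/60'/0'/0/i has non-hardened levels that require the parent public key), and the keccak step that turns a key into an Ethereum address is left out.

```python
"""Derive single-use "Private POAP" signing keys from one BIP39 mnemonic.

Added example, not the hackathon project's code. Assumed path:
m/44'/60'/account'/0'/event_index', hardened at every level.
"""
import hashlib
import hmac
import struct
import unicodedata

# secp256k1 group order; BIP32 reduces child keys modulo this value.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: 2048 rounds of PBKDF2-HMAC-SHA512 over the NFKD-normalised
    mnemonic, salted with "mnemonic" + passphrase.

    The word-list checksum is NOT validated here; a real wallet must do that
    before accepting user input, otherwise a typo silently yields a different,
    unrecoverable wallet.
    """
    words = unicodedata.normalize("NFKD", mnemonic)
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)


def master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: (private key, chain code) = HMAC-SHA512("Bitcoin seed", seed)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def hardened_child(key: bytes, chain: bytes, index: int) -> tuple[bytes, bytes]:
    """BIP32 CKDpriv for a hardened index: data = 0x00 || k_par || ser32(i + 2^31)."""
    if not 0 <= index < HARDENED:
        raise ValueError("pass the unhardened index; hardening is applied here")
    data = b"\x00" + key + struct.pack(">I", index + HARDENED)
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    left = int.from_bytes(digest[:32], "big")
    child = (left + int.from_bytes(key, "big")) % SECP256K1_N
    if left >= SECP256K1_N or child == 0:
        # Probability about 2^-128; BIP32 says the index is invalid, use the next one.
        raise ValueError(f"invalid child at index {index}, use the next one")
    return child.to_bytes(32, "big"), digest[32:]


def private_poap_key(mnemonic: str, event_index: int, account: int = 0,
                     passphrase: str = "") -> bytes:
    """One fresh 32-byte signing key per POAP event, recoverable from the
    mnemonic (and passphrase) alone. Path levels are assumed, see module doc."""
    key, chain = master_key(mnemonic_to_seed(mnemonic, passphrase))
    for level in (44, 60, account, 0, event_index):
        key, chain = hardened_child(key, chain, level)
    return key


if __name__ == "__main__":
    # The all-zero-entropy BIP39 test mnemonic; never use it for real funds.
    demo = "abandon " * 11 + "about"
    for i in range(3):
        print(f"event {i}: {private_poap_key(demo, i).hex()}")
```

Because every level is hardened, leaking one per-event private key does not expose the parent or sibling keys, and an observer who sees two of the derived addresses on-chain has no way to relate them without the mnemonic. The mnemonic itself therefore remains the single secret that the open point about persistence has to protect.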
Technologies used
Discussion